Security Bulletin for 30 June 2026: Critical Unauthenticated SQL Injection in EventON, Account Takeover in ProfileGrid and a Deserialization Flaw in Export User Data
30 June 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. For 30 June 2026 we highlight three vulnerabilities disclosed today: two critical flaws that can be exploited without a login, plus a serious deserialization flaw that can lead to code execution.
CVE-2026-9711 — Unauthenticated SQL Injection in the EventON Calendar (critical)
EventON, an events calendar used on many sites for (virtual) events, contains an SQL injection vulnerability in all versions up to and including 5.0.11 that can be exploited without a login. The value supplied via the search parameter is incorporated into a database query without adequate protection, allowing an attacker to inject their own SQL statements. Because an SQL injection can, in the worst case, read out the entire database contents — including user accounts and stored password hashes — the impact is severe. Exploitation requires the plugin’s additional-search-queries setting to be enabled and at least one published event to exist. The National Vulnerability Database rates the flaw with a CVSS score of 9.8, classifies it as critical and assigns it to weakness class CWE-89 (SQL injection). At the time of writing no corrected version is listed; operators should update EventON to the latest available version without delay and, as long as no fix is available, turn off the additional search function mentioned above or deactivate the plugin as an immediate measure.
Sources: National Vulnerability Database — CVE-2026-9711 · CVE Record — CVE-2026-9711
CVE-2026-12073 — Unauthenticated Account Takeover in ProfileGrid (critical)
ProfileGrid, which provides user profiles, groups and communities in WordPress, contains a critical vulnerability in all versions up to and including 5.9.9.5 that can be exploited without a login. Because a function processes a user-controlled key without checking whether the caller is authorized to do so, an attacker without a valid account can change the stored email address of the administrator account to an address they control, then request a login link via the password reset function — and thereby take full control of the site. The National Vulnerability Database rates the flaw with a CVSS score of 9.8, classifies it as critical and assigns it to weakness class CWE-639 (authorization bypass through a user-controlled key). This is the second time this week we have seen exactly this pattern — a login-free endpoint without an authorization check that enables account takeover. At the time of writing no corrected version is listed; operators should update ProfileGrid to the latest available version without delay and, as long as no fix is available, deactivate the plugin.
Sources: National Vulnerability Database — CVE-2026-12073 · Wordfence — ProfileGrid CVE-2026-12073
CVE-2026-12240 — Deserialization Flaw with File Deletion in Export User Data (high)
The Export User Data plugin contains a flaw in its handling of serialized data in all versions up to and including 2.2.6. Because a file path obtained from the unserialized data is not adequately validated, an arbitrary file on the server can be deleted — for example the central configuration file wp-config.php, whose removal can in turn pave the way to a full takeover up to code execution. To exploit it, an already logged-in user with a low role (Subscriber and above) prepares the relevant data; the manipulation takes effect as soon as an administrator triggers the export of user data. The National Vulnerability Database rates the flaw with a CVSS score of 8.0, classifies it as high and assigns it to weakness class CWE-502 (deserialization of untrusted data). At the time of writing no corrected version is listed; operators should update the plugin to the latest available version without delay or deactivate it until a fix is released.
Sources: National Vulnerability Database — CVE-2026-12240 · Wordfence — Export User Data CVE-2026-12240
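As an added illustration for plugin developers, and not code from the Export User Data plugin (which we have not reviewed), the following hypothetical WordPress helper shows the two safeguards whose absence the advisory describes: deserializing stored data without instantiating objects, and confining any file path taken from that data to a known export directory before deleting anything. The function name, the `user-exports` directory and the `.csv` restriction are assumptions for this example; `current_user_can()` and `wp_upload_dir()` are standard WordPress functions.

```php
<?php
// Hypothetical hardened deletion helper written for this bulletin; it is not
// the plugin's own code. Assumes it runs inside WordPress.

function eud_example_delete_export_file(string $serialized): bool {
    // 1. Only an administrator-level capability may trigger deletion, so data
    //    prepared by a low-privilege user cannot act under another role.
    if (!current_user_can('manage_options')) {
        return false;
    }

    // 2. Deserialize without allowing any class to be instantiated. Stored
    //    data then cannot smuggle in objects with magic methods (CWE-502).
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['file']) || !is_string($data['file'])) {
        return false;
    }

    // 3. Confine the path to the plugin's own export directory (assumed name).
    //    basename() drops directory components; realpath() then resolves any
    //    remaining ".." or symlinks so the final location can be compared.
    $upload  = wp_upload_dir();
    $baseDir = realpath($upload['basedir'] . '/user-exports');
    $target  = $baseDir === false
        ? false
        : realpath($baseDir . '/' . basename($data['file']));

    if ($baseDir === false || $target === false) {
        return false;
    }
    if (strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        // Resolved path escaped the export directory: refuse.
        return false;
    }

    // 4. Only delete regular files of the expected type; never directories,
    //    config files or anything else that happens to resolve inside the tree.
    if (!is_file($target) || pathinfo($target, PATHINFO_EXTENSION) !== 'csv') {
        return false;
    }

    return unlink($target);
}
```

Where the stored format is under the developer's control, keeping such metadata as JSON and reading it with `json_decode()` removes the deserialization surface altogether.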
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.